Web applications are generally not developed with security in mind, and
attacks can range from "simple defacement [to] credit card and thefts of
personal data," Soen said to eWEEK. Cross-site scripting, SQL infection
attacks, HTTP response splitting and data leaks are the most common
vulnerabilities, he said. He estimated over 80 percent of Web sites are
vulnerable to "detailed manual attacks."

FortiWeb 4.0 can monitor Web applications, automatically detect when
attackers deface the page and revert to the clean version, Soen said. A
real-time dashboard provides a high-level overview of traffic and attack
statistics, he said. Resource-intensive authentication processes such as LDAP
and NTLM can be offloaded onto the appliance to improve application
performance, he said. The URL rewriting capability was expanded to protect
underlying technology and site structure.
The appliance also enforces file restrictions to prevent unapproved file
types from being uploaded or executed, according to Soen. There is also a way
for IT managers to delete or mask credit card numbers to prevent data breaches.
PCI data security standards require applications to be protected with a Web
application firewall and a vulnerability assessment tool. FortiWeb's new
firmware delivers both elements in a single device, Soen said. The export and
import tool makes it easy to clone security policies that can be used on other
Fortinet products such as FortiGate,
FortiAP, FortiGuard, FortiManager, FortiAnalyzer and FortiDB.
The dashboard also provides up-to-date reports about PCI compliance, he said.
Network firewalls and intrusion/prevention systems are not sufficient to
defend Web applications, Soen said. Network firewalls can block attacks coming
from certain IP addresses and check ports, but is "blind" to most Web
application attacks because it has to let all traffic on port 80 through, he
said. IPS systems are also limited because
it can't read HTTPS and SSL traffic and
attackers are getting good at bypassing signature-based scanners, he said.
There are three members in the FortiWeb family, varying on network
capability. The 400B appliance targets the small business for PCI
compliance, offering 500GB of storage and the ability to process 10,000
transactions per second, Soen said. The midrange 1000C appliance comes with 1TB
of storage and can process up to 27,000 transactions per second. And the
enterprise-class, high-end 3000C model boasts 40,000 transactions per storage
and 2TB of storage, he said. Prices depend on the amount of traffic it has to
process, and range from $19,995 to $39,995, Soen said.
The FortiWeb product competes against Web application firewall systems from
Trustwave, F5, Imperva and Barracuda Networks, Soen said.